phplist-plugin-restapi icon indicating copy to clipboard operation
phplist-plugin-restapi copied to clipboard
verified publisher icon phpList

POST <html> from php curl comes escaped - deal with it receiver-side?

Open labor4 opened this issue 9 years ago • 6 comments

Hi I'm using the API to build a submit connector for inserting whole <html> content with campaignAdd() to phplist. It seems to me that the sender's php curl must escape all quotes. So receiver-side the code is not valid as-is. In the API (include/campaigns.php) i need to do: stripslashes($_REQUEST['message'])

Is this something to consider for you DEVs, or am I only doing a bad approach?

Thanks Best Manu

labor4 avatar Sep 28 '16 16:09 labor4

Yes, there's an annoying discrepancy that needs a fix, which is quite tricky

phpList handles the content by duplicating the escaping somewhere. I haven't found it yet. The complication will be to make sure that a campaign added by phpList UI and phpList API are entered the same way. This is currently not the case, IIRC.

michield avatar Oct 20 '16 21:10 michield

(I dont know if the Email reply worked correctly, so this could become duplicated)

Hi Michiel Are you sure the core functionality is the issue?

Is is not that the API provides the case that finished Code is inserted (which is usually not the case with the GUI), and this is a very special case where an outside factor delivers a very special flavour of "material" (php curl)?

So I suggest it's more about handling the "special case", for example by giving a switch in the REST to tell the API to clean up?

Best M

labor4 avatar Oct 21 '16 13:10 labor4

Hi Michiel

Are you sure the core functionality is the issue?

Is is not that the API provides the case that finished Code is inserted (which is usually not the case with the GUI), and this is a very special case where an outside factor delivers a very special flavour of "material" (php curl)?

So I suggest it's more about handling the "special case", for example by giving a switch in the REST to tell the API to clean up?

Best M

Am 20.10.2016 um 23:10 schrieb Michiel [email protected]:

Yes, there's an annoying discrepancy that needs a fix, which is quite tricky

phpList handles the content by duplicating the escaping somewhere. I haven't found it yet. The complication will be to make sure that a campaign added by phpList UI and phpList API are entered the same way. This is currently not the case, IIRC.

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/phpList/phplist-plugin-restapi/issues/39#issuecomment-255229235, or mute the thread https://github.com/notifications/unsubscribe-auth/ARnpb56Y-bOzw1UXgbkbeVhCq6vxP7OQks5q19izgaJpZM4KJBeF.

labor4 avatar Oct 25 '16 18:10 labor4

No, I'm not sure. It would need digging deeper to find out. Unfortunately I don't currently have the time for that.

michield avatar Oct 26 '16 19:10 michield

admin/inc/magic_quotes.php - looks like this "experiment" is bad

kofein avatar Apr 05 '17 19:04 kofein

as temporary solution remove slashes in admin/plugins/restapi/includes/campaigns.php:102 $stmt->bindParam('message', stripslashes($_REQUEST['message']), PDO::PARAM_STR);

kofein avatar Apr 05 '17 19:04 kofein